Fixed a crash when slice/session overflow (#1637)

src/amf/context.c

@@ -2057,7 +2057,9 @@ void amf_clear_subscribed_info(amf_ue_t *amf_ue)
 
     ogs_assert(amf_ue);
 
+    ogs_assert(amf_ue->num_of_slice <= OGS_MAX_NUM_OF_SLICE);
     for (i = 0; i < amf_ue->num_of_slice; i++) {
+        ogs_assert(amf_ue->slice[i].num_of_session <= OGS_MAX_NUM_OF_SESS);
         for (j = 0; j < amf_ue->slice[i].num_of_session; j++) {
             ogs_assert(amf_ue->slice[i].session[j].name);
             ogs_free(amf_ue->slice[i].session[j].name);

src/amf/gmm-handler.c

@@ -1000,6 +1000,11 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
 
 
             for (i = 0; i < amf_ue->num_of_slice; i++) {
+                if (i >= OGS_MAX_NUM_OF_SLICE) {
+                    ogs_warn("Ignore max slice count overflow [%d>=%d]",
+                            amf_ue->num_of_slice, OGS_MAX_NUM_OF_SLICE);
+                    break;
+                }
                 if (ul_nas_transport->presencemask &
                         OGS_NAS_5GS_UL_NAS_TRANSPORT_S_NSSAI_PRESENT) {
                     ogs_nas_s_nssai_ie_t ie;
@@ -1015,6 +1020,12 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
                     }
                 }
                 for (j = 0; j < amf_ue->allowed_nssai.num_of_s_nssai; j++) {
+                    if (j >= OGS_MAX_NUM_OF_SLICE) {
+                        ogs_warn("Ignore max slice count overflow [%d>=%d]",
+                                amf_ue->allowed_nssai.num_of_s_nssai,
+                                OGS_MAX_NUM_OF_SLICE);
+                        break;
+                    }
                     if (amf_ue->slice[i].s_nssai.sst ==
                             amf_ue->allowed_nssai.s_nssai[j].sst &&
                         amf_ue->slice[i].s_nssai.sd.v ==
@@ -1025,6 +1036,13 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
 
                             for (k = 0;
                                     k < amf_ue->slice[i].num_of_session; k++) {
+                                if (k >= OGS_MAX_NUM_OF_SESS) {
+                                    ogs_warn("Ignore max session "
+                                        "count overflow [%d>=%d]",
+                                        amf_ue->slice[i].num_of_session,
+                                        OGS_MAX_NUM_OF_SESS);
+                                    break;
+                                }
                                 if (!strcmp(dnn->value,
                                             amf_ue->slice[i].session[k].name)) {
 

src/hss/hss-s6a-path.c

@@ -566,7 +566,15 @@ static int hss_ogs_diam_s6a_ulr_cb( struct msg **msg, struct avp *avp,
             struct avp *pdn_gw_allocation_type;
             struct avp *vplmn_dynamic_address_allowed;
 
-            ogs_session_t *session = &slice_data->session[i];
+            ogs_session_t *session = NULL;
+
+            if (i >= OGS_MAX_NUM_OF_SESS) {
+                ogs_warn("Ignore max session count overflow [%d>=%d]",
+                    slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                break;
+            }
+
+            session = &slice_data->session[i];
             ogs_assert(session);
             session->context_identifier = i+1;
 

src/hss/hss-swx-path.c

@@ -592,7 +592,15 @@ static int hss_ogs_diam_swx_sar_cb( struct msg **msg, struct avp *avp,
             struct avp *pdn_gw_allocation_type;
             struct avp *vplmn_dynamic_address_allowed;
 
-            ogs_session_t *session = &slice_data->session[i];
+            ogs_session_t *session = NULL;
+
+            if (i >= OGS_MAX_NUM_OF_SESS) {
+                ogs_warn("Ignore max session count overflow [%d>=%d]",
+                    slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                break;
+            }
+
+            session = &slice_data->session[i];
             ogs_assert(session);
             session->context_identifier = i+1;
 

src/mme/mme-context.c

@@ -3281,6 +3281,7 @@ void mme_session_remove_all(mme_ue_t *mme_ue)
 
     ogs_assert(mme_ue);
 
+    ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
     for (i = 0; i < mme_ue->num_of_session; i++) {
         if (mme_ue->session[i].name)
             ogs_free(mme_ue->session[i].name);
@@ -3297,6 +3298,7 @@ ogs_session_t *mme_session_find_by_apn(mme_ue_t *mme_ue, char *apn)
     ogs_assert(mme_ue);
     ogs_assert(apn);
 
+    ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
     for (i = 0; i < mme_ue->num_of_session; i++) {
         session = &mme_ue->session[i];
         ogs_assert(session->name);
@@ -3314,6 +3316,7 @@ ogs_session_t *mme_default_session(mme_ue_t *mme_ue)
 
     ogs_assert(mme_ue);
 
+    ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
     for (i = 0; i < mme_ue->num_of_session; i++) {
         session = &mme_ue->session[i];
         if (session->context_identifier == mme_ue->context_identifier)

src/mme/mme-fd-path.c

@@ -913,8 +913,14 @@ static void mme_s6a_ula_cb(void *data, struct msg **msg)
                  */
                 case OGS_DIAM_S6A_AVP_CODE_APN_CONFIGURATION:
                 {
-                    ogs_session_t *session =
-                        &slice_data->session[slice_data->num_of_session];
+                    ogs_session_t *session = NULL;
+
+                    if (slice_data->num_of_session >= OGS_MAX_NUM_OF_SESS) {
+                        ogs_warn("Ignore max session count overflow [%d>=%d]",
+                            slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                        break;
+                    }
+                    session = &slice_data->session[slice_data->num_of_session];
                     ogs_assert(session);
 
                     /* AVP: 'Service-Selection'(493)

src/mme/mme-s11-handler.c

@@ -1111,7 +1111,7 @@ void mme_s11_handle_release_access_bearers_response(
      * Check MME-UE Context
      ***********************/
     if (!mme_ue_from_teid) {
-        ogs_error("No Context in TEID");
+        ogs_error("No Context in TEID [ACTION:%d]", action);
     }
 
     /********************
@@ -1123,7 +1123,7 @@ void mme_s11_handle_release_access_bearers_response(
 
         cause_value = cause->value;
         if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED)
-            ogs_error("GTP Failed [CAUSE:%d]", cause_value);
+            ogs_error("GTP Failed [CAUSE:%d, ACTION:%d]", cause_value, action);
     }
 
     /********************

src/mme/mme-s6a-handler.c

@@ -67,10 +67,13 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
 
     mme_session_remove_all(mme_ue);
 
-    mme_ue->num_of_session = slice_data->num_of_session;
-    mme_ue->context_identifier = slice_data->context_identifier;
-
     for (i = 0; i < slice_data->num_of_session; i++) {
+        if (i >= OGS_MAX_NUM_OF_SESS) {
+            ogs_warn("Ignore max session count overflow [%d>=%d]",
+                    slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+            break;
+        }
+
         mme_ue->session[i].name = ogs_strdup(slice_data->session[i].name);
         ogs_assert(mme_ue->session[i].name);
 
@@ -89,4 +92,7 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
         memcpy(&mme_ue->session[i].smf_ip, &slice_data->session[i].smf_ip,
                 sizeof(mme_ue->session[i].smf_ip));
     }
+
+    mme_ue->num_of_session = i;
+    mme_ue->context_identifier = slice_data->context_identifier;
 }

src/udr/nudr-handler.c

@@ -539,13 +539,26 @@ bool udr_nudr_dr_handle_subscription_provisioned(
         ogs_assert(SubscribedSnssaiInfoList);
 
         for (i = 0; i < subscription_data.num_of_slice; i++) {
+            if (i >= OGS_MAX_NUM_OF_SLICE) {
+                ogs_warn("Ignore max slice count overflow [%d>=%d]",
+                    subscription_data.num_of_slice, OGS_MAX_NUM_OF_SLICE);
+                break;
+            }
             slice_data = &subscription_data.slice[i];
 
             DnnInfoList = OpenAPI_list_create();
             ogs_assert(DnnInfoList);
 
             for (j = 0; j < slice_data->num_of_session; j++) {
-                ogs_session_t *session = &slice_data->session[j];
+                ogs_session_t *session = NULL;
+
+                if (j >= OGS_MAX_NUM_OF_SESS) {
+                    ogs_warn("Ignore max session count overflow [%d>=%d]",
+                        slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                    break;
+                }
+
+                session = &slice_data->session[j];
                 ogs_assert(session);
                 ogs_assert(session->name);
 
@@ -662,7 +675,15 @@ bool udr_nudr_dr_handle_subscription_provisioned(
         dnnConfigurationList = OpenAPI_list_create();
 
         for (i = 0; i < slice_data->num_of_session; i++) {
-            ogs_session_t *session = &slice_data->session[i];
+            ogs_session_t *session = NULL;
+
+            if (i >= OGS_MAX_NUM_OF_SESS) {
+                ogs_warn("Ignore max session count overflow [%d>=%d]",
+                    slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                break;
+            }
+
+            session = &slice_data->session[i];
             ogs_assert(session);
             ogs_assert(session->name);
 
@@ -1024,7 +1045,15 @@ bool udr_nudr_dr_handle_policy_data(
                 slice_data = &subscription_data.slice[0];
 
                 for (i = 0; i < slice_data->num_of_session; i++) {
-                    ogs_session_t *session = &slice_data->session[i];
+                    ogs_session_t *session = NULL;
+
+                    if (i >= OGS_MAX_NUM_OF_SESS) {
+                        ogs_warn("Ignore max session count overflow [%d>=%d]",
+                            slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+                        break;
+                    }
+
+                    session = &slice_data->session[i];
                     ogs_assert(session);
                     ogs_assert(session->name);